SSL is CPU Intensive

If you haven't already enabled SSL session caching, do that NOW.
But what if you have many unique requests and your load balancer is maxing out its CPU?
That was the case with WakaTime's load balancer, because as you use the WakaTime plugins you are constantly making requests to our API saying you're still working on a project.
We had one load balancer terminating SSL in front of multiple app servers running our Flask app.
The Flask app servers handled the requests just fine, but the load balancer was maxing out all 16 cores negotiating SSL handshakes.

Proxying TCP instead of HTTP

The solution is to proxy TCP instead of HTTP.
The load balancer no longer terminates SSL; it just passes the TCP connection on to your app servers unmodified.

This tells haproxy to set up a Layer 4 proxy that forwards all TCP connections unmodified to the two nginx servers, using roundrobin to balance the connections.
The nginx app servers will share the load of negotiating SSL and parsing the HTTP requests.

Forwarding the User's Real IP using Proxy Protocol

Proxy Protocol forwards the originating client's IP address from haproxy to nginx without having to modify the HTTP request headers.
To enable Proxy Protocol in haproxy, add the send-proxy keyword to your /etc/haproxy/haproxy.cfg file:

Notice how we told nginx to trust the IP address of your haproxy load balancer, 10.0.0.10, to give us the client's real IP.
SSL is now distributed between your two nginx app servers, and your nginx log files show the correct client IP address for each request.
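
What send-proxy puts on the wire and the trust rule described above, as an added Python example (not code from the original post, haproxy or nginx): haproxy prepends a PROXY protocol v1 text line to each TCP connection, and the receiver takes the client address from it only when the TCP peer is the load balancer. The client address 203.0.113.7, the backend address 10.0.0.11 and the function names are constructed for illustration.

```python
import ipaddress

# haproxy load balancer address from the article; only this peer is trusted.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}
MAX_V1_HEADER = 107  # longest PROXY v1 line, CRLF included, per the protocol spec

# Constructed sample: v1 header followed by the first bytes of a TLS record.
# 203.0.113.7 (client) and 10.0.0.11 (nginx backend) are assumed addresses.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.11 51234 443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port) or None for UNKNOWN, remaining bytes).

    Raises ValueError when the header is missing or malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not all(f.isdigit() and int(f) <= 65535 for f in fields[4:6]):
        raise ValueError("bad port")
    return (str(src), int(fields[4])), rest


def client_ip(peer_ip: str, first_bytes: bytes):
    """Return (logged client IP, payload after the header).

    The header is always required and stripped, but its source address only
    replaces the TCP peer address when the peer is a trusted proxy.
    """
    src, rest = parse_proxy_v1(first_bytes)
    trusted = ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES
    return (src[0] if trusted and src else peer_ip), rest


if __name__ == "__main__":
    print(client_ip("10.0.0.10", SAMPLE))     # header honored
    print(client_ip("198.51.100.9", SAMPLE))  # header ignored for the address
```

A peer other than the load balancer can put any address in the header, which is why the decision is keyed on the TCP peer address and not on anything the header says.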